Legal Duties to Protect Information and Networks

Although the hypothetical situation involving this Canadian dam might seem extreme, a finding of liability may not be so far-fetched. When persons have been harmed by unknown (or judgment-proof, i.e., insolvent) third persons, courts have extended liability to other, more solvent defendants whose action or inaction made it possible for these third persons to harm the victim on the defendant's property. The primary examples are premises liability cases, in which victims of robberies, muggings, or other crimes perpetrated upon them in motels, apartments, or shopping malls have sued the owners and managers of these premises for failing to maintain adequate security or failing to make the victims aware of the risks of entering the premises. In such cases, plaintiffs pursue businesses whose pockets are likely deeper (or easier to find) than those of the criminals who perpetrated the crimes upon them. One common argument in such cases is that these businesses are liable because the presence of criminals (and potential harm to the victims) was foreseeable, and the businesses had a duty to protect the plaintiff from that harm.

As noted in some of the examples below (such as the Exigent and C.I. Host cases), plaintiffs have already filed lawsuits against third parties whose networks, after being compromised, were used to launch attacks against victims. Unfortunately, in the post-September 11 reality, the issue of "foreseeability" has taken on new meaning. An article in the New York Law Journal identified a host of entities against which plaintiffs might file suits arising from the September 11 terrorist attacks, if they chose to forgo their rights to recover from the September 11th Victim Compensation Fund of 2001:

[T]he possible defendants are American Airlines and United Airlines, and various companies and organizations that participated in security work for the hijacked flights, Argenbright, Globe Aviation Services, Huntleigh USA Corp., Massport, Port Authority of New York and New Jersey (which directed some twin towers' employees to return to their desks), New Jersey, Metropolitan Washington Airports Authority, and the U.S. government for the activities of Air Traffic Control.[1]

[1] Kreindler, "Pros and Cons of Victims Funds," New York Law Journal, November 28, 2001.

Even though, as noted by the author of this article, the Act that authorized this fund may make it risky to sue these defendants,[2] at least one lawsuit has been filed to date against United Airlines.[3]

[2] Id.

[3] Mariani v. United Airlines, Inc., filed in the United States District Court for the Southern District of New York.

In light of the foreseeability of hacker attacks (which are increasing every year), gaps in information security can cause serious legal problems for a corporation with respect to third-party liability claims and the resulting potential for director and officer liability.

Third-party claims can stem from breach of contract, violation of statutes that mandate the adoption of information-security measures, or common-law theories such as negligence. Losses arising from these third-party claims (or for direct losses to a company's assets, even if no third-party claims are asserted) can lead to claims against corporate officers and directors for breach of the fiduciary duty they owe to a corporation and its shareholders.

Breach-of-contract suits are perhaps most likely to arise out of contract clauses concerning confidentiality and security over information a company receives from a third party, such as a customer, vendor, or business partner. Virtually all service, software, alliance, joint venture, and nondisclosure agreements contain such confidentiality clauses. These clauses require each party to protect shared information, and they provide that if one party fails to do so, it shall indemnify the other party for loss due to that failure. If an unscrupulous third party gains access to confidential information of another party that has been stored electronically and was inadequately protected by the receiving party, the receiving party faces liability. For example, if company A shares a proprietary formula or design with company B under a joint venture agreement, and the joint venture agreement contains a confidentiality clause, company B may be liable to company A if a third party breaks into company B's network and finds (or steals) company A's proprietary formula or design.

Although these contract clauses were designed for the days when confidential information was exchanged in paper form and kept in locked file cabinets, much confidential information is now exchanged and stored electronically. Given that an electronic "break-in" can be more surreptitious and take less effort than a physical break-in, such records may be at greater risk today than in the past.

Other circumstances in which a breach of security may result in breach-of-contract liability include hosting or colocation situations in which the hosting company's contract commits to a given level of security (even if stated as "reasonable security"). Such clauses have become increasingly common, as hosting companies seek to distinguish themselves in the marketplace by offering service-level agreements or "secured hosting" arrangements.

A second possible basis for liability is the host of new federal statutes that require companies to maintain reasonable security measures for sensitive information such as health care and financial information. HIPAA, the Gramm-Leach-Bliley Act ("GLBA"), and a growing number of federal statutes require companies to employ strong information security to protect sensitive information. The Security Regulations for HIPAA require affected entities (Health Care Providers, Health Plans, and Health Care Clearinghouses) to protect covered health information (known as Protected Health Information, or PHI) by adopting a "four-corner" security model that consists of administrative safeguards, physical safeguards, technical security services, and technical security mechanisms.[4] GLBA applies to customer financial information received and stored by financial institutions such as banks and savings and loans. GLBA and its implementing regulations (the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information,"[5] or "Guidelines") contain security standards referred to as the "financial institution safeguards." Section III.C.1. of the Guidelines states that regulated institutions must consider the following information-security measures for customer financial information:

[4] 42 CFR 142.306.

[5] Published at Federal Register, Vol. 66, No. 22, February 1, 2001, pp. 8616-8641.

  1. Access controls on customer information systems;

  2. Access restrictions at physical locations containing customer information;

  3. Encryption of electronic customer information;

  4. Procedures to ensure that system modifications do not affect security;

  5. Dual control procedures, segregation of duties, and employee background checks;

  6. Monitoring systems to detect actual attacks on or intrusions into customer information systems;

  7. Response programs that specify actions to be taken when unauthorized access has occurred; and

  8. Protection from physical destruction or damage to customer information.

A third possible basis for liability includes common-law theories such as negligence. Under legal theories such as products liability and premises liability, a party may be held liable because its products or premises were used by one party to harm another. Most of these legal theories became established law after courts witnessed a sustained pattern of losses; for example, products liability flourished in part because of the industrial revolution and poorly designed products. If history is any indication, courts will begin to accept the theory that a party may be liable for harm to another party's systems caused by the first party's failure to maintain adequate information security.

In fact, such cases are already heading to the courts. Exigent (a software developer) filed suit in Europe against a German university and a Swedish hosting company after a hacker broke into Exigent's network and stole proprietary source code using accounts at the German university and the ISP.[6] In a U.S. case, Texas-based C.I. Host sued Exodus because the latter's servers were used to launch several denial of service attacks against C.I. Host. A commentator on the case aptly noted the impact of the litigation on Exodus:[7]

[6] Computer Security Institute, 2001 CSI/FBI Computer Crime and Security Survey at p. 7.

[7] "See You In Court," CIO Magazine at p. 62 (November 1, 2001).

C.I. Host's lawyers did convince a Texas judge to issue a temporary restraining order shutting down three of the Web servers involved in the attack until the companies could prove the vulnerabilities had been fixed. This messy and confusing case pitted not just rival against rival but victim versus victim. Although the attacks lasted only a couple of days, it took seven months' worth of legal fees, not to mention time and energy, to close the case.

This scenario and other similar ones are likely to play out with increasing frequency as more companies suffer public outages and thefts as a result of security breaches.[8] (Emphasis added.)

[8] Id.

In the event that a company is sued under one or more of these theories, or that the company simply suffers internal losses from a breach of security (downtime, theft of intellectual property, etc.), corporate officers or directors might be sued for breach of fiduciary duty. Directors or officers are required to protect the assets of the company under this fiduciary duty to the corporation and its shareholders. Legal scholars have suggested that officers and directors must safeguard a company's information assets with the same degree of care that they apply to its physical assets:

The primary responsibility [for information security] remains with management, and failure to discharge this responsibility faithfully could result in personal liability for officers and directors. A standard that counsel might suggest is the "due diligence" standard: look at the company's security as if you were buying the company. (Emphasis added.)

Esther Roditti, Computer Contracts, Sec. 15:03[1], at p. 15-25 (Matthew Bender, 1999)

This fiduciary responsibility to protect information assets is also codified in a growing body of federal statutory law. Section III.A of the GLBA Guidelines requires the board of directors to approve an institution's security policy and then to:

...oversee the development, implementation, and maintenance of the bank's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.[9]

[9] See, e.g., the Guidelines as adopted by the Office of Comptroller of the Currency, at 12 CFR I, Appendix B to Part 30.

Under Section III.F of the Guidelines, the board must then review its information-security program each year after its initial adoption.

Although several financial institutions requested that the Agencies remove these references to direct board responsibility from the Guidelines, the Agencies refused to do so. The official commentary to the Guidelines explains why the Agencies demanded board responsibility for information security:

Some commentators stated that each financial institution should be allowed to decide for itself whether to obtain board approval of its program...Still others suggested modifying the Guidelines to require only that the board approve the initial information security program and delegate subsequent review and approval of the program to either a committee or an individual. The Agencies believe that a financial institution's overall information security program is critical to the safety and soundness of the institution. Therefore, the final Guidelines continue to place responsibility on an institution's board to approve and exercise general oversight over the program.[10] (Emphasis added.)

[10] See "Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness," Part III, published at Federal Register, Vol. 66, No. 22, February 1, 2001, at p. 8620.

This raises the question of how officers and directors may satisfy their fiduciary duty to protect information assets. The basis of the fiduciary duty is the prudent man rule, which requires officers and directors to act with the duty of care of an ordinarily prudent person in a like position under the circumstances, and in a manner which is in the best interests of the corporation and the shareholders.

Officers and directors cannot, under the prudent man rule, fully delegate the responsibility for information security to the CIO or the IS department. Legal scholars who analyzed officer and director duties to respond to the last great IT threat (Y2K) stated that "officers and directors will have to go beyond simple reliance on a plan put together by their CIO" (Scott & Reid, The Year 2000 Computer Crisis, Sec. 6.05, at p. 6-59). Instead, as the official commentary to the GLBA Guidelines above notes, management likely has responsibility to approve and exercise general oversight over the program. Delegation may create a situation in which management assumes the IS department will make corporate decisions on information security, while the IS department is waiting on direction from management. This can result in a "paralysis by analysis" that stops information security policies from ever being adopted.

Past security surveys show that management can take action to reduce the risk of a security breach. According to the Information Security magazine 2000 Security Industry Survey, companies with information-security policies are substantially more likely to detect and respond to attacks: approximately 66 percent of companies with policies detected and responded to attacks, versus 21 percent without such policies. The magazine's 2001 Security Industry Survey identified "budget constraints" as the number one obstacle to better information security (it tied for first with "lack of employee training/end user awareness").[11] Both of these are traditionally management-driven issues. For shareholders, government regulators, or other private litigants, the question of whether a company adopted adequate security measures will be determined by a jury's 20/20 hindsight.

[11] "2001 Security Industry Survey," Information Security magazine, at p. 44 (October 2001).

IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73